Sony Interactive Entertainment (Sony) has confirmed that it suffered a data breach on May 28, 2023. The company said that the breach impacted thousands of current and former staff and their families in the United States. The breach was discovered on June 2, 2023, and the platform was immediately taken offline and the vulnerability was remediated. Sony launched a probe with the help of external cybersecurity experts and notified law enforcement. Sony said the incident was limited to the particular software platform and had no impact on any of its other systems.
Number of people affected
Sony Interactive Entertainment recently sent emails to current and former staff to inform them that their personal data had been leaked. Sony said in the announcement that it had sent emails to 6,791 Americans. The company has also invited them to confirm their identity and restore services through Equifax before February 29, 2024.
Details of the breach
The breach was caused by a flaw in the MOVEit vendor software, which was discovered by Sony in early June 2023. Sony stated that attackers initiated the intrusion through a zero-day vulnerability in the MOVEit Transfer platform. The vulnerability is tracked as CVE-2023-34362, a high-risk SQL injection vulnerability that allows remote execution of arbitrary code. Through this flaw, the attackers gained unauthorized access to data on the platform. However, after the discovery of the breach, Sony took care of the situation immediately. The compromised data included personal information such as names, addresses, Social Security numbers, and dates of birth.
Probe and response
Sony launched a probe with the help of external cybersecurity experts and notified law enforcement. According to Sony, the incident did not affect any of its systems other than the MOVEit vendor software. However, all current and former staff now have emails from Sony informing them of the breach.
Multiple hackers claim responsibility
In late September 2023, multiple malicious actors claimed to have stolen data from Sony, with 3.14GB of data allegedly belonging to Sony posted on dark web hacking sites. Two different malicious actors claimed to have stolen data from the technology company.
One of the groups, RansomedVC, claimed to have stolen 260GB during a cyber attack against Sony. The group made attempts to sell the data for $2.5 million. The other group, MajorNelson, refuted RansomedVC’s claims and leaked a sample of the data for free.
Sony’s previous data breaches
Sony has suffered several data breaches in the past, including a major breach in 2011 that exposed the personal information of millions of users. In August 2017, a hacker group accessed Sony’s social media accounts and deleted data from Sony systems using a variant of the Shamoon virus.
In July this year, the Clop ransomware group used the MOVEit vulnerability to launch large-scale attacks. Sony detected the attack three days later and found unauthorized downloads. Sony later temporarily disconnected from the Internet and fixed the related issues.
Impact of the breach
The breach has potentially exposed the personal information of over 6,000 people, specifically 6,791 Americans. The leaked data include names, addresses, Social Security numbers, and dates of birth. Hackers can use this data to steal the identity of the owners as well as for other malicious purposes.
Conclusion
Sony has confirmed a data breach that impacted thousands of current and former employees and their families in the United States. The cause of the breach is a flaw in the MOVEit vendor software. It led to a leak of personal information such as names, addresses, Social Security numbers, and dates of birth. Sony has launched an investigation with the help of external cybersecurity experts and notified law enforcement. The incident did not have any impact on any of Sony’s systems apart from the MOVEit software.
Author Bio
Efe Udin, the author of this article, is an expert tech blogger who has been blogging for about seven (7) years. His expertise is in tech brand performance and the political interface between the government or government agencies and tech companies.